Which Are the Three Most Important Elements of Any Cyber Insurance Package?

Have you read our recent Q and A with Towergate’s cyber expert, Marc Rocker?

If you didn’t you can read it here. Here we ask him what the most important things are to look for with your cyber insurance and what happens when making a cyber insurance claim.

Which are the three most important elements of any cyber insurance package?

The fundamental thing to look for in a cyber package is the breach response. All cyber insurance policies will include this, but you need to understand what it is insurers are offering you. Some insurers have their own in-house breach response management teams available for clients whereas others will outsource it to third parties.

If you do decide to outsource, investigate how quickly you will get assistance following a breach. If you need assistance on your £500 policy but another client has a £1 million policy, are you lower on the pecking order?

The next most important cover in my mind is what we call crime or e-crime. Most claims occur due to people clicking on links in phishing emails or giving login credentials to criminal parties. If you do not have e-crime cover in place, then the cyber policy you've bought will not actually respond to quite a significant area of risk for you.

There are insurers out there who do not provide this cover. In Ardonagh, we try to avoid using said insurers as much as we can. We cannot always avoid it, but we do try, and we would always recommend that you purchase this cover because it is quite simply one of the most significant areas of risk for a business.

And then there's ransomware. Ransomware is a pressing topic – as I’ve already mentioned, even the government have issued a report on its impact on the UK economy – so it is very high up on the list of things to be concerned about.

When you’ve suffered a breach, your screen will “lock up” and tell you to pay a certain cryptocurrency within a certain time. The first thing you’ve got to work out is: how do I get hold of that cryptocurrency? You’ve then got to look at who the criminals are. There is quite a good chance that they're going to sit on one of the UK, EU, or the OFAC sanctions lists, meaning you may not legally be able to pay them even if you wanted to.

Ransomware allows the criminals to do their homework. They’ll sit in your system for a while so they'll know how much turnover you're generating and what your revenues are like, so it won't be an extraordinary amount that you simply can't afford to pay. For example, if you're turning over £1 million and these the criminals are asking you to pay £5 million, you're never going to pay it so there's no point in asking.

What they will do is set a figure which they know you can afford to pay. They know it's going to be painful, but it is a figure that that gives you a real decision to make: do I want to lose my million-pound turnover business or am I going to pay these people £250,000?

Additionally, even if you do pay the ransom, there's no guarantee that you're going to get access back to your system. You're paying a criminal yet expecting them to stand by their word. There's a massive contradiction in that thought. Your insurer will quite often know of the main criminal gang, so they will know whether you’re likely to get a percentage of the data back or whether they simply won't give it back to you, even if you do pay them.

I appreciate that all claims will be different depending on the attack but could you give a brief rundown of a cyber insurance claim? What might this look like from start to finish?

Claims can take many forms, so let’s look at one of the most common incidents: a ransomware attack.

You come into your place of work, attempt to access your computer, and find it’s locked and there’s a ransom message asking for a certain amount of cryptocurrency within a specific timeframe. It may include a threat that your data will be released to the public, or that the ransom demand will increase after that timeframe expires to add a sense of urgency.

Your insurers will do several things for you. First, they’ll engage with specialists who can do a deep dive into your system and investigate how the criminals gained access to ensure that vulnerability is eliminated in future. Then they’ll check your backups to see if they are still viable or if they have also been affected. Cyber-criminals quite often lurk in your system for months to allow their malware to permeate your backups. Once they have done this assessment, they will determine whether you need to pay the ransom.

The next question is, can you pay the criminals, or is it a case of simply ignoring them and starting to rebuild? Depending on the outcome of this conversation, they may choose to negotiate a deal with the criminals, but if the criminals are on a sanction list, then this is not going to happen. They can help you to reinstate the data either via the backups if possible, or by hiring people to manually input the data. Some insurers don’t provide all of this in their policies.

If you suffer a data breach, you have 72 hours to notify the Information Commissioner’s Office (ICO). This is something our insurers will help you to do. You may also need to notify customers or individuals if their data was stolen as part of the breach. This can be an extremely complicated process that will require PR consultants to manage the public narrative. I personally had my data stolen in a Ticketmaster attack. Following the attack, they gave me 12 months of credit monitoring on my credit cards to make sure that nothing untoward was happening.

And finally, potentially the biggest area that your insurance can offer support in is claims. You may have lost revenue while your systems were offline, and a good cyber insurance policy will help you cover that cost and any additional costs that arise off the back of the incident.